From mboxrd@z Thu Jan 1 00:00:00 1970
From: ohilyard@iol.unh.edu
To: vladimir.medvedkin@intel.com
Cc: dev@dpdk.org, david.marchand@redhat.com, Owen Hilyard
Date: Wed, 16 Jun 2021 12:07:29 -0400
Message-Id: <20210616160730.348523-1-ohilyard@iol.unh.edu>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH] lib/rte_rib6: fix stack buffer overflow
List-Id: DPDK patches and discussions
Errors-To: dev-bounces@dpdk.org
Sender: "dev"

From: Owen Hilyard

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.

The fix for the stack buffer overflow was to make sure depth was
always < 128, since when depth = 128 it caused the index into the ip
address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few changes
could be made to remove the for loop entirely.

Signed-off-by: Owen Hilyard
---
 lib/rib/rte_rib6.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
index f6c55ee45..2de50449d 100644
--- a/lib/rib/rte_rib6.c
+++ b/lib/rib/rte_rib6.c
@@ -79,14 +79,20 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE], static inline int get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth) { - int i = 0; - uint8_t p_depth, msk; - - for (p_depth = depth; p_depth >= 8; p_depth -= 8) - i++; - - msk = 1 << (7 - p_depth); - return (ip[i] & msk) != 0; + int index, msk; + /* depth & 127 clamps depth to values that will not + * read off the end of ip. + * depth is the number of bits deep into ip to traverse, and + * is incremented in blocks of 8 (1 byte). This means the last + * 3 bits are irrelevant to what the index of ip should be. + */ + index = (depth & 127) >> 3; + /* + * msk is the bitmask used to extract the bit used to decide the + * direction of the next step of the binary search. + */ + msk = 1 << (7 - (depth & 7)); + return (ip[index] & msk) != 0; } static inline struct rte_rib6_node * -- 2.30.2
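Review bot: the mask in `index = (depth & 127) >> 3;` hides the out-of-bounds read rather than fixing its cause. With depth == 128 the index becomes 0 and msk becomes 0x80, so get_dir now silently returns bit 0 of the address, a "direction" that has no meaning for a full-length prefix, and the caller that passed depth == 128 is never told it did something wrong. The comment also describes this as a clamp, but `& 127` wraps 128 to 0; it does not pin it to 127. Prefer surfacing the bad value where it enters (an explicit check or assertion that depth < 128, either in the callers or at the top of get_dir) and compute the index as plain `depth >> 3`, which the comment's own reasoning already justifies for every valid depth; `msk = 1 << (7 - (depth & 7));` is fine as written.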
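To make the failure mode in the commit message concrete, the following is an added example and not DPDK code: it models the original get_dir(), the patched get_dir() from the hunk, and a hypothetical bounds-checked variant (checked_get_dir, not part of the patch), then compares what each does at depth == 128 and checks that all three agree for every depth below it. IPV6_ADDR_SIZE stands in for RTE_RIB6_IPV6_ADDR_SIZE and sample_ip is a constructed address.

```c
/* Added example (not DPDK code): three versions of get_dir() side by side.
 * IPV6_ADDR_SIZE stands in for RTE_RIB6_IPV6_ADDR_SIZE; checked_get_dir()
 * is a hypothetical hardened variant, not something the patch adds. */
#include <stdint.h>
#include <stdio.h>

#define IPV6_ADDR_SIZE 16               /* 128-bit address, as in rte_rib6 */
#define MAX_DEPTH (IPV6_ADDR_SIZE * 8)  /* 128: one bit past the last valid depth */

/* Constructed sample address fe80::1: bit 0 of byte 0 is set,
 * bit 7 of byte 15 is set. */
static const uint8_t sample_ip[IPV6_ADDR_SIZE] = {
	0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01
};

/* Byte index the original loop arrives at before dereferencing ip[i].
 * For depth == 128 this is 16, one past the end of a 16-byte array:
 * the out-of-bounds read ASAN reported. */
static int orig_index(uint8_t depth)
{
	int i = 0;
	uint8_t p_depth;

	for (p_depth = depth; p_depth >= 8; p_depth -= 8)
		i++;
	return i;
}

/* Original get_dir(): only safe to call with depth < 128.
 * The loop's leftover p_depth equals depth & 7. */
static int orig_get_dir(const uint8_t ip[IPV6_ADDR_SIZE], uint8_t depth)
{
	uint8_t msk = 1 << (7 - (depth & 7));

	return (ip[orig_index(depth)] & msk) != 0;
}

/* Byte index after the patch: the mask wraps 128 to 0 instead of
 * rejecting it. */
static int patched_index(uint8_t depth)
{
	return (depth & 127) >> 3;
}

/* Patched get_dir() as in the hunk: never reads out of bounds, but at
 * depth == 128 it silently answers with bit 0 of byte 0. */
static int patched_get_dir(const uint8_t ip[IPV6_ADDR_SIZE], uint8_t depth)
{
	int index = patched_index(depth);
	int msk = 1 << (7 - (depth & 7));

	return (ip[index] & msk) != 0;
}

/* Hypothetical hardened variant: an out-of-range depth is an error (-1),
 * not a direction, so a caller bug is surfaced instead of masked. */
static int checked_get_dir(const uint8_t ip[IPV6_ADDR_SIZE], uint8_t depth)
{
	if (depth >= MAX_DEPTH)
		return -1;
	return (ip[depth >> 3] & (1 << (7 - (depth & 7)))) != 0;
}

/* 1 if all three versions pick the same byte and bit for every valid
 * depth 0..127 on sample_ip, 0 otherwise. */
static int all_versions_agree_below_max(void)
{
	int d;

	for (d = 0; d < MAX_DEPTH; d++) {
		int o = orig_get_dir(sample_ip, (uint8_t)d);
		int p = patched_get_dir(sample_ip, (uint8_t)d);
		int c = checked_get_dir(sample_ip, (uint8_t)d);

		if (o != p || p != c || orig_index((uint8_t)d) != d >> 3)
			return 0;
	}
	return 1;
}

int main(void)
{
	printf("depth 128: orig index %d (array size %d), patched index %d\n",
	       orig_index(128), IPV6_ADDR_SIZE, patched_index(128));
	printf("depth 128: patched dir %d, checked dir %d\n",
	       patched_get_dir(sample_ip, 128), checked_get_dir(sample_ip, 128));
	printf("depths 0..127 agree: %d\n", all_versions_agree_below_max());
	return 0;
}
```

The point of the comparison is that masking and checking are not equivalent: for every depth the RIB can legitimately ask about, the loop, the mask and the check all select the same bit, so removing the loop is fine; only at depth == 128 do they diverge, and there the mask turns a crash ASAN can catch into a plausible-looking wrong answer that nothing catches.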